How It Works
An Active Directory resource in Infisical PAM represents a domain controller and acts as the organizational hub for domain-joined machines. Windows Server resources can be linked to an AD resource to indicate they belong to that domain. When a user needs to access domain resources, they navigate to an AD account and select from the list of related Windows servers that are joined to the domain.
Key Concepts
- Domain Controller: The AD Server resource represents your domain controller. It stores the domain name and DC address, and serves as the parent for domain-joined resources and domain accounts.
- Domain Join: Windows Server resources can be associated with an AD Server resource to indicate they are part of that Active Directory domain. This enables you to view all domain-joined servers from the AD resource’s Related Resources tab.
- Related Resources: From an AD account’s detail page, users can see all Windows servers joined to the domain. This provides a clear view of which machines are accessible with domain credentials.
- Account Types: AD accounts can be categorized as either User accounts or Service accounts, allowing you to organize and manage different types of domain credentials.
Prerequisites
Before configuring Active Directory access in Infisical PAM, you need:
- Infisical Gateway - A Gateway deployed in your network with access to the AD domain controller
- LDAP Access - The domain controller must be reachable from the Gateway on the LDAP port (default: 389). Note that 389 is the plain LDAP port: a simple bind over it sends the password unencrypted unless the session is upgraded with StartTLS (or LDAPS on 636 is used), so keep the Gateway-to-DC path on a trusted network segment.
- Domain Credentials - A username and password for an Active Directory account that Infisical can bind with
Create the PAM Resource
The PAM Resource represents the Active Directory domain controller you want to manage.
Ensure Gateway is Running
Before creating the resource, ensure you have an Infisical Gateway running and registered with your Infisical instance. The Gateway must have network access to your AD domain controller.
Create the Resource in Infisical
- Navigate to your PAM project and go to the Resources tab
- Click Add Resource and select Active Directory
- Fill in the connection details:
  - A friendly name for this resource (e.g., corp-dc, prod-domain-controller)
  - The Gateway that has network access to this domain controller
  - The Active Directory domain name (e.g., corp.example.com)
  - The hostname or IP address of the domain controller (e.g., 10.0.1.10 or dc.corp.example.com)
  - The LDAP port (default: 389)
Create PAM Accounts
A PAM Account represents a specific Active Directory user account in the domain. You can create multiple accounts per resource with different permission levels.
Navigate to the Resource
After creating the resource, click into it to open the resource detail view. Select the Accounts tab on the right.
Fill in Account Details
Fill in the account details:
- A friendly name for this account (e.g., domain-admin, svc-deploy)
- The type of AD account:
  - User Account - A standard Active Directory user account
  - Service Account - An Active Directory service account
- The Active Directory username (e.g., admin or svc-deploy). Credentials are validated in UPN format (username@domain) against the domain controller.
- The Active Directory password for this user
Clicking Create Account validates the credentials by performing an LDAP bind against the domain controller through the Gateway. If the bind fails, the account is not created, so a typo in the username, the wrong domain, or a DC that the Gateway cannot reach all surface at this step.
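The validation step above is an LDAP simple bind as username@domain. The following is an added example, not Infisical's code, that reproduces that check on the wire with only the Python standard library, so you can run it from the Gateway host before creating the account and read the exact LDAP resultCode the DC returns. It assumes the DC supports StartTLS on 389 (Infisical's own transport choice is not stated on this page), and the host names, usernames and passwords in the usage line are constructed placeholders.

```python
# Added example, not Infisical's code: reproduce the credential check (an LDAP simple
# bind as user@domain) on the wire with the standard library only. Host names and
# credentials used in the usage line are constructed placeholders.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials", 53: "unwillingToPerform"}

def build_upn(username: str, domain: str) -> str:
    """Normalise a username to user@domain, the form the bind is validated with."""
    if "@" in username:
        return username
    if "\\" in username:                      # DOMAIN\user style: keep the user part
        username = username.split("\\", 1)[1]
    return f"{username}@{domain}"

# BER helpers: every LDAP message is ASN.1 BER, i.e. tag / length / value.
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id: int, upn: str, password: str) -> bytes:
    # BindRequest [APPLICATION 0]: version 3, name = the UPN, simple [0] = password.
    # The password is a plain OCTET STRING here, which is why the socket must be
    # wrapped in TLS before this message is sent.
    bind = tlv(0x60, ber_int(3) + tlv(0x04, upn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)

def starttls_request(message_id: int) -> bytes:
    # ExtendedRequest [APPLICATION 23] with requestName [0] = the StartTLS OID.
    return tlv(0x30, ber_int(message_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def parse_result(msg: bytes, expected_op: int):
    """Parse an LDAPResult-shaped reply: BindResponse (0x61) or ExtendedResponse (0x78)."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError(f"not an LDAPMessage (tag {tag:#x})")
    _, _, pos = parse_tlv(body)                        # messageID
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != expected_op:
        raise ValueError(f"unexpected protocolOp {op_tag:#x}, wanted {expected_op:#x}")
    _, code, pos = parse_tlv(op)                       # resultCode ENUMERATED
    _, _, pos = parse_tlv(op, pos)                     # matchedDN
    _, diag, _ = parse_tlv(op, pos)                    # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def recv_message(sock) -> bytes:
    """Read exactly one LDAPMessage (one BER element) from the socket."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed by the domain controller")
            buf += chunk
        return buf
    head = exact(2)
    length = head[1]
    if length & 0x80:
        head += exact(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + exact(length)

def check_ad_credentials(dc_host, port, username, domain, password, starttls=True, timeout=5.0):
    """Return (ok, resultCode, diagnosticMessage) for a simple bind as user@domain."""
    upn = build_upn(username, domain)
    sock = socket.create_connection((dc_host, port), timeout=timeout)
    try:
        if starttls:                                   # upgrade port 389 to TLS first
            sock.sendall(starttls_request(1))
            code, diag = parse_result(recv_message(sock), 0x78)
            if code != 0:
                raise RuntimeError(f"StartTLS refused: {RESULT_NAMES.get(code, code)} {diag}")
            # create_default_context() verifies the DC certificate against the system
            # trust store; load your enterprise CA into the context if the DC uses one.
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=dc_host)
        sock.sendall(bind_request(2, upn, password))
        code, diag = parse_result(recv_message(sock), 0x61)
    finally:
        sock.close()
    return code == 0, code, diag

# Usage from the Gateway host (placeholders): check_ad_credentials("dc.corp.example.com", 389,
#     "svc-deploy", "corp.example.com", password) -> (False, 49, "...") on a bad password.
```

A resultCode of 49 (invalidCredentials) means the DC was reached and rejected the password or UPN; a refused StartTLS or a connection timeout points at the network path or DC configuration rather than the account, which is the same distinction the Create Account validation hides behind a single failure.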
Domain Join (Related Resources)
Active Directory resources support linking Windows Server resources to represent domain membership. This allows you to see all servers that belong to a particular AD domain from a single view.
Joining a Windows Server to a Domain
When creating or editing a Windows Server resource, you can select an Active Directory Domain from the dropdown. This associates the Windows server with the AD domain controller, indicating that it is a domain-joined machine.
Viewing Related Resources
Once Windows servers are associated with an AD resource, you can view them from the AD resource's detail page:
- Navigate to the Active Directory resource
- Select the Related Resources tab (next to the Accounts tab)
- All Windows servers (and other resources) joined to this domain are listed here